Closed Bug 412543 Opened 17 years ago Closed 15 years ago

"ASSERTION: null frame is not allowed" and abort [@ IsPercentageAware] with :first-letter, moz-column (again)

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Version:
1.9.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:dupe 429969])

Crash Data

Attachments

(1 file)

testcase (crashes Firefox when loaded)
231 bytes, text/html
Details 
This bug is similar to the recently-fixed bug 408493 in several ways: both testcases use -moz-column and :first-letter, and both result in the same assertion and abort.

The testcase is probably font-dependent :(  I don't know why I'm having a hard time switching the testcase to a more predictable font or why some of the characters have to be punctuation rather than letters.
WFM, crashtest pushed.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → WORKSFORME
layout/generic/crashtests/412543-1.html
1.9.0 !exploitable report

PROBABLY_EXPLOITABLE: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!IsPercentageAware
Group: core-security
Status: RESOLVED → REOPENED
Flags: blocking1.9.0.11?
OS: Mac OS X → Windows XP
Resolution: WORKSFORME → ---
So.... this is still WFM on trunk, right?
as far as I know at this point. sorry, i meant to change the version when i repurposed it for 1.9.0.

It is an enabled crash test on the trunk and would have been flagged there if it was failing at least in opt builds. I'll double check 1.9.1 and 1.9.2 next. My concern is this is a public crash test which could be mined for exploitable crashes on older branches.
Version: Trunk → 1.9.0 Branch
In a debug build this is a reliable and unexploitable null deref as described in the summary. In opt it's less clear, I consistently get the following stack which seems to be crashing in a strange spot:

bp-7a2e0a79-f088-44a7-b2ca-ea13d2090504
bp-40981db9-790e-4b0f-837c-a29552090504
Status: REOPENED → NEW
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12?
Flags: blocking1.9.0.11?
Whiteboard: [sg:investigate]
qawanted: when did this crash "go away" on the trunk? What are potential fixing bugs?
Keywords: qawanted
Whiteboard: [sg:investigate] → [sg:investigate] fix-window-wanted
Flags: blocking1.9.0.12? → blocking1.9.0.12+
I see a gression range between 2008-07-02 and 2008-07-03 on trunk http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-07-02+02%3A00&enddate=2008-07-03+02%3A00, which suggests bug 399941. That was a largish patch which changed behaviour in a number of cases. Do we want to take the whole thing on 1.9.0 or try to find a subset of the patch which will prevent the crash?
There is also the possibility that the change in first-letter behaviour caused by 399941 masks the bug on trunk rather than solving it.
We don't really want all of bug 399941 on the branch, is it possible to come up with a smallish wallpaper patch? Following up to find a targeted fix might help us determine whether the problem is just masked or fixed on trunk, because if it's just masked there might be another way to expose it.
Keywords: qawanted
Whiteboard: [sg:investigate] fix-window-wanted → [sg:investigate]
I just updated my branch tree to start working on this and the bug seems to have become WORKSFORME. Can any one else confirm? Maybe bug 429968 fixed it?
Apparently so -- On WinXP I crash in an older 3.0.x but not in 3.0.11 beta.
Depends on: 429968
Flags: blocking1.9.0.12+
Keywords: fixed1.9.0.11
Whiteboard: [sg:investigate] → [sg:dupe 429969]
Checked the crashtest in to 1.9.0 and reresolving.
Status: NEW → RESOLVED
Closed: 16 years ago15 years ago
Resolution: --- → WORKSFORME
Flags: wanted1.9.0.x+
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x-
Group: core-security
Crash Signature: [@ IsPercentageAware]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: